SPRS and Meeting CMMC Requirements with Self-Assessment

Professional cybersecurity audit framework by Lazarus Alliance  

With the activation of CMMC Phase 1 on November 10, 2025, contractors meeting Level 1 Maturity (and, in some cases, Level 2) can provide self-assessment documentation in lieu of undergoing an audit with a C3PAO. This means that every cybersecurity claim a defense contractor makes now carries the same legal weight as a cost or performance claim. 

But what does this mean for contractors in the DIB? In many cases, while it opens up plenty of opportunities to streamline compliance through self-reporting, it also opens up legal liability if that reporting isn’t accurate. 

Read More

Tech Debt and Reliance on Open-Source Security

A long, rainbow-colored digital USB plugged into a laptop.

Open-source software is the cornerstone of most IT platforms and infrastructure. This reliance extends beyond major applications; most software worldwide relies, in part, on even the smallest OSS library that solves a critical problem. 

For businesses subject to FedRAMP, CMMC, and other federal jurisdictions, this is a solid way to plan their compliance. As we’re seeing, however, OSS is just as vulnerable as other software (if not more) due to the nature of decentralized development. This has become such an issue that even members of Congress are starting to pay attention.

 

Read More

The FedRAMP 20x Phase Two Timeline

An abstract, digital cloud shaped from numbers and code, gradient from red to blue.

FedRAMP has long been the backbone of how U.S. federal agencies evaluate and trust cloud services. For more than a decade, it has provided a standardized approach to assessing security controls, granting authorizations, and maintaining ongoing oversight. Yet as cloud architectures evolved, software delivery accelerated, and agencies increasingly relied on modern DevSecOps practices, the original FedRAMP model began to show its age.

With the launch of Phase Two of the 20x pilot, the program has moved beyond experimentation and into a more consequential stage that will shape how cloud services are authorized across the federal government in the coming years.

 

Read More